InnoCraft

How should I write my privacy notice for Matomo Analytics under GDPR?

Important note: this blog post has been written by digital analysts, not lawyers. The purpose of this article is to show you an example of a privacy notice for Matomo under GDPR. This work comes from our interpretation of the UK privacy commission, the ICO. It cannot be considered professional legal advice. Like GDPR itself, this information is subject to change. We strongly advise you to consult the different privacy authorities in order to have up-to-date information.

A basic rule of thumb is that if you are not processing personal data, then you do not need to show any privacy notice. But if you are doing so, such as processing full IP addresses, then a privacy notice is required at the time of the data collection. Please note that personal data may also be hidden, for example, in page titles or page URLs.

In this blog post, we will define what a privacy notice is according to GDPR and how to write it if you are using Matomo and you are processing personal data.

What is a privacy notice under GDPR?

One of the most important rights that a data subject has under GDPR is the right to be informed about the collection and use of their personal data.

“You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.”

“When you collect personal data from the individual it relates to, you must provide them with privacy information at the time you obtain their data.”

The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).

The recipients or categories of recipients of the personal data.

The details of transfers of the personal data to any third countries or international organisations (if applicable).

The retention periods for the personal data.

The rights available to individuals in respect of the processing.

The right to withdraw consent (if applicable).

The right to lodge a complaint with a supervisory authority.

The source of the personal data (if the personal data is not obtained from the individual it relates to).

The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).

The details of the existence of automated decision-making, including profiling (if applicable).

Pretty long, don’t you think? To shorten it, you can adopt a layered approach, where your “pop-up” window acts as a drop-down menu. Alternatively, from what we understood from page 5 of this document provided by the ICO, a privacy notice can link to a more detailed document, such as a privacy policy page.

Examples

Let’s take the example of a website which tracks the non-anonymised full IP address and uses the User ID functionality to keep track of logged-in users. Under GDPR, the owner of the website will have to choose to process personal data based on either “Legitimate interests” or “Consent”. Here is what it will look like:

Example of a privacy notice under GDPR Legitimate interests

This site uses Matomo to analyze traffic and help us to improve your user experience.

We process your email address and IP address and cookies are stored on your browser for 13 months. This data is only processed by us and our web hosting platform. Please read our Privacy Policy to learn more.

Example of a privacy notice under GDPR Consent

This site uses Matomo to analyze traffic and help us to improve your user experience.

We process your email address and IP address and cookies are stored on your browser for 13 months. This data is only processed by us and our web hosting platform.

[Accept] or [Opt-out]

Please read our Privacy Policy to learn more.

Once that information is provided to the user, you can then link it to your privacy policy where you will provide more details about it. Soon we will issue a blog post dealing with how to write a privacy policy page for Matomo.
